<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.css">

<script id="hexo-configurations">
    // Theme-wide settings for NexT. They are read by the theme scripts loaded at
    // the end of <body> and by the inline scripts on this page (e.g.
    // CONFIG.comments below); CONFIG.page is attached by the page-configurations
    // script further down in <head>.
    var NexT = window.NexT || {};
    // NOTE(review): localsearch.unescape is false; judging by the key name this
    // presumably keeps search snippets HTML-escaped when they are rendered —
    // confirm in local-search.js before flipping it, since the snippets come
    // from the search index rather than from this page.
    var CONFIG = {"hostname":"gwashitgton.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":"mac"},"back2top":{"enable":true,"sidebar":false,"scrollpercent":true},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":true,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":"enable","trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="Windows日志简要解析">
<meta property="og:type" content="article">
<meta property="og:title" content="Windows日志简要解析">
<meta property="og:url" content="https://gwashitgton.gitee.io/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/">
<meta property="og:site_name" content="Enterprise">
<meta property="og:description" content="Windows日志简要解析">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200424135920.png">
<meta property="article:published_time" content="2020-04-24T13:19:20.000Z">
<meta property="article:modified_time" content="2020-04-27T14:30:07.219Z">
<meta property="article:author" content="Odin">
<meta property="article:tag" content="Windows">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200424135920.png">

<link rel="canonical" href="https://gwashitgton.gitee.io/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags merged into the theme CONFIG created by the
  // hexo-configurations script above; the theme scripts presumably key
  // post-only behaviour off isPost/isHome — see next-boot.js.
  CONFIG.page = { sidebar: "", isHome: false, isPost: true, lang: 'zh-CN' };
</script>

  <title>Windows日志简要解析 | Enterprise</title>
  


  <script>
    var _hmt = _hmt || [];
    // Baidu Tongji (analytics) loader: inserts the tracker <script> ahead of the
    // first script element already on the page. The hash in the query string
    // is presumably this site's tracker id. The tracker is served dynamically,
    // so SRI cannot pin it; any CSP applied to this page must list
    // https://hm.baidu.com in script-src for it to keep working.
    (function () {
      var anchor = document.getElementsByTagName("script")[0];
      var tracker = document.createElement("script");
      tracker.src = "https://hm.baidu.com/hm.js?a3850f6ef1a87fae200c86d8a5c3a0d7";
      anchor.parentNode.insertBefore(tracker, anchor);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="Enterprise" type="application/atom+xml">
</head>
<script type="text/javascript" src="/js/love.js"></script>
<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Enterprise</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">纸上得来终觉浅，绝知此事要躬行</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>

  <a href="https://github.com/Grergo" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://gwashitgton.gitee.io/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200422132544.JPG">
      <meta itemprop="name" content="Odin">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Enterprise">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Windows日志简要解析
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-04-24 21:19:20" itemprop="dateCreated datePublished" datetime="2020-04-24T21:19:20+08:00">2020-04-24</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-04-27 22:30:07" itemprop="dateModified" datetime="2020-04-27T22:30:07+08:00">2020-04-27</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Windows/" itemprop="url" rel="index"><span itemprop="name">Windows</span></a>
                </span>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Valine：</span>
    
    <a title="valine" href="/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/" itemprop="commentCount"></span>
    </a>
  </span>
  
  <br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>3k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>3 分钟</span>
            </span>
            <div class="post-description">Windows日志简要解析</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <a id="more"></a>
<!-- markdownlint-disable MD041 MD002-->

<h3 id="简介："><a href="#简介：" class="headerlink" title="简介："></a>简介：</h3><p>Windows操作系统在运行过程中会记录大量日志信息。这些日志主要包括<strong>Windows 事件日志、IIS日志、FTP日志、Exchange Server邮件服务日志、SQL Server 数据库日志</strong>。</p>
<p>Windows 日志文件以特定的数据结构存储，每个记录事件的数据结构包含9个元素：<strong>日期/时间、事件类型、用户、计算机、事件ID、来源、类别、描述、数据</strong>。 查看日志可以通过系统自带的事件查看器查看。</p>
<p>Windows系统内置三个核心日志文件：<strong>System、Security、Application</strong>，默认大小均为20480kB也就是20MB，记录数据超过20MB时会覆盖过期的日志记录；其他的应用程序以及服务日志默认大小均为1MB，超过这个大小时采用同样的覆盖方式。</p>
<h3 id="日志类型："><a href="#日志类型：" class="headerlink" title="日志类型："></a>日志类型：</h3><p>Windows 事件日志共有5种类型，所有的事件类型必须是这5种的其中一种，而且只能是一种。这5种事件类型分别是：</p>
<table>
<thead>
<tr>
<th align="center">事件类型</th>
<th align="center">注释</th>
</tr>
</thead>
<tbody><tr>
<td align="center">信息（Information）</td>
<td align="center">指应用程序、驱动程序、或服务的成功操作事件</td>
</tr>
<tr>
<td align="center">警告（Warning）</td>
<td align="center">警告事件本身不是直接的、主要的问题，但可能导致将来问题的发生</td>
</tr>
<tr>
<td align="center">错误（Error）</td>
<td align="center">指用户应该知晓的重要问题</td>
</tr>
<tr>
<td align="center">成功审核（Success Audit）</td>
<td align="center">主要指安全性日志，记录用户的登录/注销、对象访问、特权使用、账户管理、策略更改、详细跟踪、目录服务访问、账户登录事件</td>
</tr>
<tr>
<td align="center">失败审核（Failure Audit）</td>
<td align="center">审核失败的安全事件，如失败的登录尝试</td>
</tr>
</tbody></table>
<p>事件日志文件类型：</p>
<table>
<thead>
<tr>
<th align="center">类别</th>
<th align="center">类型</th>
<th align="center">描述</th>
<th align="center">文件名</th>
</tr>
</thead>
<tbody><tr>
<td align="center">Windows日志</td>
<td align="center">系统</td>
<td align="center">包含系统进程，设备磁盘活动等。事件记录了设备驱动无法正常启动或停止，硬件失败，重复IP地址，系统进程的启动，停止及暂停等行为。</td>
<td align="center">System.evtx</td>
</tr>
<tr>
<td align="center">Windows日志</td>
<td align="center">安全</td>
<td align="center">包含安全性相关的事件，如用户权限变更，登录及注销，文件及文件夹访问，打印等信息。</td>
<td align="center">Security.evtx</td>
</tr>
<tr>
<td align="center">Windows日志</td>
<td align="center">应用程序</td>
<td align="center">包含操作系统安装的应用程序软件相关的事件。事件包括了错误、警告及任何应用程序需要报告的信息，应用程序开发人员可以决定记录哪些信息。</td>
<td align="center">Application.evtx</td>
</tr>
<tr>
<td align="center">应用程序及服务日志</td>
<td align="center">Microsoft</td>
<td align="center">Microsoft文件夹下包含了200多个微软内置的事件日志分类，只有部分类型默认启用记录功能，如远程桌面客户端连接、无线网络、有线网路、设备安装等相关日志。</td>
<td align="center">详见日志存储目录对应文件</td>
</tr>
<tr>
<td align="center">应用程序及服务日志</td>
<td align="center">Microsoft Office Alerts</td>
<td align="center">微软Office应用程序（包括Word/Excel/PowerPoint等）的各种警告信息，其中包含用户对文档操作过程中出现的各种行为，记录有文件名、路径等信息。</td>
<td align="center">OAlerts.evtx</td>
</tr>
<tr>
<td align="center">应用程序及服务日志</td>
<td align="center">Windows PowerShell</td>
<td align="center">Windows自带的Powershell的日志信息</td>
<td align="center">Windows PowerShell.evtx</td>
</tr>
<tr>
<td align="center">应用程序及服务日志</td>
<td align="center">Internet Explorer</td>
<td align="center">IE浏览器应用程序的日志信息，默认未启用</td>
<td align="center">Internet Explorer.evtx</td>
</tr>
</tbody></table>
<p>日志文件存放位置：%SystemRoot%\System32\winevt\Logs</p>
<h3 id="常见的事件ID对应表："><a href="#常见的事件ID对应表：" class="headerlink" title="常见的事件ID对应表："></a>常见的事件ID对应表：</h3><p><strong>适用于Win8/Win10/Server2008/Server2012 以及以后版本</strong></p>
<table>
<thead>
<tr>
<th>事件ID</th>
<th>说明</th>
</tr>
</thead>
<tbody><tr>
<td>1102</td>
<td>清理审计日志</td>
</tr>
<tr>
<td>4624</td>
<td>账号登录成功</td>
</tr>
<tr>
<td>4625</td>
<td>账号登录失败</td>
</tr>
<tr>
<td>4672</td>
<td>授予特殊权限</td>
</tr>
<tr>
<td>4720</td>
<td>创建用户</td>
</tr>
<tr>
<td>4726</td>
<td>删除用户</td>
</tr>
<tr>
<td>4728</td>
<td>将成员添加到启用安全的全局组中</td>
</tr>
<tr>
<td>4729</td>
<td>将成员从安全的全局组中移除</td>
</tr>
<tr>
<td>4732</td>
<td>将成员添加到启用安全的本地组中</td>
</tr>
<tr>
<td>4733</td>
<td>将成员从启用安全的本地组中移除</td>
</tr>
<tr>
<td>4756</td>
<td>将成员添加到启用安全的通用组中</td>
</tr>
<tr>
<td>4757</td>
<td>将成员从启用安全的通用组中移除</td>
</tr>
<tr>
<td>4719</td>
<td>系统审计策略修改</td>
</tr>
</tbody></table>
<p>其余事件ID可以通过此网站查找：<a href="http://www.eventid.net/search.asp" target="_blank" rel="noopener">http://www.eventid.net/search.asp</a></p>
<p>这五类事件中最重要的是成功审核(Success Audit)，所有系统登录成功都会被标记为成功审核。每个成功登录事件都会标记一个登录类型。</p>
<table>
<thead>
<tr>
<th align="center">登录类型</th>
<th align="left">描述</th>
</tr>
</thead>
<tbody><tr>
<td align="center">2</td>
<td align="left">交互式登录(用户从控制台登录)</td>
</tr>
<tr>
<td align="center">3</td>
<td align="left">网络(通过 net use 等方式访问共享网络)</td>
</tr>
<tr>
<td align="center">4</td>
<td align="left">批处理</td>
</tr>
<tr>
<td align="center">5</td>
<td align="left">服务启动，由服务控制管理器启动</td>
</tr>
<tr>
<td align="center">7</td>
<td align="left">解锁(带密码保护的屏幕保护程序的无人值守工作站)</td>
</tr>
<tr>
<td align="center">8</td>
<td align="left">网络明文（IIS服务器登录验证）</td>
</tr>
<tr>
<td align="center">9</td>
<td align="left">新凭据登录 （呼叫方为出站连接克隆了其当前令牌和指定的新凭据。 新登录会话具有相同的本地标识，但对其他网络连接使用不同的凭据。）</td>
</tr>
<tr>
<td align="center">10</td>
<td align="left">终端服务，远程桌面，远程辅助</td>
</tr>
<tr>
<td align="center">11</td>
<td align="left">使用存储在计算机本地的网络凭据登录到此计算机的用户。 未联系域控制器以验证凭据。</td>
</tr>
</tbody></table>
<h3 id="Windows-日志格式："><a href="#Windows-日志格式：" class="headerlink" title="Windows 日志格式："></a>Windows 日志格式：</h3><p>事件日志(Evtx) 是一种二进制格式的文件：</p>
<p><img src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200424135920.png" alt="image-20200424135911618"></p>
<p>Evtx 文件结构包括三部分：文件头、数据块、结尾空值。</p>
<p>文件头部4096字节。文件头部签名：45 6C 66 46 69 6C 65 00（ElfFile\x00）。 </p>
<p>文件头部结构如下：</p>
<table>
<thead>
<tr>
<th align="center">偏移</th>
<th align="center">长度</th>
<th align="center">值</th>
<th align="center">描述</th>
</tr>
</thead>
<tbody><tr>
<td align="center">0</td>
<td align="center">8</td>
<td align="center">ElfFile\x00</td>
<td align="center">文件签名</td>
</tr>
<tr>
<td align="center">8</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">第一个数据块</td>
</tr>
<tr>
<td align="center">16</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">最后一个数据块</td>
</tr>
<tr>
<td align="center">24</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">下一个记录标识符</td>
</tr>
<tr>
<td align="center">32</td>
<td align="center">4</td>
<td align="center">128</td>
<td align="center">头大小</td>
</tr>
<tr>
<td align="center">36</td>
<td align="center">2</td>
<td align="center">1</td>
<td align="center">次版本号</td>
</tr>
<tr>
<td align="center">38</td>
<td align="center">2</td>
<td align="center">3</td>
<td align="center">主版本号</td>
</tr>
<tr>
<td align="center">40</td>
<td align="center">2</td>
<td align="center">4096</td>
<td align="center">数据块的偏移量</td>
</tr>
<tr>
<td align="center">42</td>
<td align="center">2</td>
<td align="center"></td>
<td align="center">数据块的数量</td>
</tr>
<tr>
<td align="center">44</td>
<td align="center">76</td>
<td align="center"></td>
<td align="center">空值</td>
</tr>
<tr>
<td align="center">120</td>
<td align="center">4</td>
<td align="center"></td>
<td align="center">文件标志</td>
</tr>
<tr>
<td align="center">124</td>
<td align="center">4</td>
<td align="center"></td>
<td align="center">校验和</td>
</tr>
<tr>
<td align="center">128</td>
<td align="center">3968</td>
<td align="center"></td>
<td align="center">空值</td>
</tr>
</tbody></table>
<p>Windows 事件日志大小是由数据块的数量决定的，事件日志文件大小=（数据块的数量x65536）+4096。文件标志如下：</p>
<table>
<thead>
<tr>
<th>值</th>
<th>标识符</th>
<th>描述</th>
</tr>
</thead>
<tbody><tr>
<td>0x0001</td>
<td></td>
<td>已更新</td>
</tr>
<tr>
<td>0x0002</td>
<td></td>
<td>已填充</td>
</tr>
</tbody></table>
<p>每个数据块的大小是65536字节，数据块首部标签名是45 6C 66 43 68 6E 6B 00(ElfChnk\x00)，数据块是由数据块头部，事件记录，闲置空间组成。数据块文件头大小是512字节，结构如下：</p>
<table>
<thead>
<tr>
<th>偏移量</th>
<th>长度</th>
<th>值</th>
<th>描述</th>
</tr>
</thead>
<tbody><tr>
<td>0</td>
<td>8</td>
<td>ElfChnk\x00</td>
<td>标签</td>
</tr>
<tr>
<td>8</td>
<td>8</td>
<td></td>
<td>第一个事件记录编号</td>
</tr>
<tr>
<td>16</td>
<td>8</td>
<td></td>
<td>最后一个事件编号</td>
</tr>
<tr>
<td>24</td>
<td>8</td>
<td></td>
<td>第一个事件记录标识符</td>
</tr>
<tr>
<td>32</td>
<td>8</td>
<td></td>
<td>最后一个事件标识符</td>
</tr>
<tr>
<td>40</td>
<td>4</td>
<td>128</td>
<td>指针数据偏移量</td>
</tr>
<tr>
<td>44</td>
<td>4</td>
<td></td>
<td>最后一个事件记录数据偏移量</td>
</tr>
<tr>
<td>48</td>
<td>4</td>
<td></td>
<td>自由空间偏移</td>
</tr>
<tr>
<td>52</td>
<td>4</td>
<td></td>
<td>事件记录校验和（CRC32）</td>
</tr>
<tr>
<td>56</td>
<td>64</td>
<td></td>
<td>空值</td>
</tr>
<tr>
<td>120</td>
<td>4</td>
<td></td>
<td>未知</td>
</tr>
<tr>
<td>124</td>
<td>4</td>
<td></td>
<td>校验和（头部前120字节和第128字节到512字节）</td>
</tr>
</tbody></table>
<p> 数据块里有多条事件记录，一条事件记录对应一条日志信息。一条事件记录由以下部分组成：</p>
<table>
<thead>
<tr>
<th>偏移量</th>
<th>长度</th>
<th>值</th>
<th>描述</th>
</tr>
</thead>
<tbody><tr>
<td>0</td>
<td>4</td>
<td>“\x2a\x2a\x00\x00”</td>
<td>签名</td>
</tr>
<tr>
<td>4</td>
<td>4</td>
<td></td>
<td>事件块大小</td>
</tr>
<tr>
<td>8</td>
<td>8</td>
<td></td>
<td>事件记录标识符</td>
</tr>
<tr>
<td>16</td>
<td>8</td>
<td></td>
<td>事件记录写入时间</td>
</tr>
<tr>
<td>24</td>
<td></td>
<td></td>
<td>事件内容</td>
</tr>
<tr>
<td></td>
<td>4</td>
<td></td>
<td>尺寸拷贝</td>
</tr>
</tbody></table>
<h3 id="Windows-取证分析注意要点"><a href="#Windows-取证分析注意要点" class="headerlink" title="Windows 取证分析注意要点"></a>Windows 取证分析注意要点</h3><p>Windows 事件查看器没有提供删除特定日志的功能，也就是说溯源取证时，可以直接按照事件ID、按照特定的时间点进行回溯。但是！但是！通过特殊方法可以使事件查看器不显示特定的日志：前面说到一条事件记录偏移量为4处是事件块大小，也就是说我们可以通过修改事件块大小，使其长度覆盖下一条日志，这样事件查看器解析系统日志时就会跳过下一条日志，从而使特定事件被隐藏掉。同时为了修改后的日志文件能够正常显示，我们还需要修改多个标志位并重新计算校验和。因此取证时不应只依赖事件查看器的解析结果：可以核对数据块头部中的事件记录编号是否连续、各条记录的大小与数据块内的实际内容是否一致，或与已转发到集中日志服务器的副本进行比对，以发现这类篡改。</p>
<p>参考链接：</p>
<blockquote>
<p><a href="https://www.freebuf.com/vuls/175560.html" target="_blank" rel="noopener">https://www.freebuf.com/vuls/175560.html</a></p>
<p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events</a></p>
<p><a href="https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc" target="_blank" rel="noopener">https://github.com/libyal/libevtx/blob/master/documentation/Windows XML Event Log (EVTX).asciidoc</a></p>
</blockquote>

    </div>
    <div>
  
    <div>
    
        <div style="text-align:center;color: #ccc;font-size:14px;">-------------本文结束<i class="fa fa-paw"></i>感谢您的阅读-------------</div>
    
</div>
  
</div>

    
    
    
      
       
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>
  
  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/">Windows日志简要解析</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 Odin 的个人博客">Odin</a></p>
  <p><span>发布时间:</span>2020年04月24日 - 21:04</p>
  <p><span>最后更新:</span>2020年04月27日 - 22:04</p>
  <p><span>原始链接:</span><a href="/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/" title="Windows日志简要解析">https://gwashitgton.gitee.io/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/</a>
    <span class="copy-path"  title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://gwashitgton.gitee.io/2020/04/24/Windows%E6%97%A5%E5%BF%97%E7%AE%80%E8%A6%81%E8%A7%A3%E6%9E%90/"  aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>  
</div>
<script> 
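    // Copy-link button: clipboard.js (loaded above) copies the value of
    // data-clipboard-text on .fa-clipboard when it is clicked; on success a
    // SweetAlert dialog confirms the copy.
    var clipboard = new Clipboard('.fa-clipboard');
    // Register the success handler exactly once. The previous version attached
    // it from inside a jQuery click handler, so every click added one more
    // listener and the N-th click showed N confirmation dialogs. This snippet
    // no longer needs the jQuery 2.0.0 bundle loaded from cdn.bootcss.com above
    // (an old line with public advisories and no SRI); the page already loads
    // jQuery 3 from jsDelivr at the end of <body>, so that duplicate can go.
    clipboard.on('success', function () {
      swal({
        title: "",
        text: '复制成功',
        icon: "success",
        showConfirmButton: true
      });
    });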
</script>

      
        <div class="reward-container">
  <div>如果对您有帮助，请赞助一下吧</div>
  <button onclick="var qr = document.getElementById('qr'); qr.style.display = (qr.style.display === 'none') ? 'block' : 'none';">
    打赏
  </button>
  <div id="qr" style="display: none;">
      
      <div style="display: inline-block;">
        <img src="/images/wechatpay.png" alt="Odin 微信支付">
        <p>微信支付</p>
      </div>
      
      <div style="display: inline-block;">
        <img src="/images/alipay.png" alt="Odin 支付宝">
        <p>支付宝</p>
      </div>

  </div>
</div>

        

  <div class="followme">
    <p>欢迎关注我的其它发布渠道</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/Windows/" rel="tag"><i class="fa fa-tag"></i> Windows</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2020/04/23/Linux%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA/" rel="prev" title="Linux系统安全加固">
      <i class="fa fa-chevron-left"></i> Linux系统安全加固
    </a></div>
      <div class="post-nav-item">
    <a href="/2020/04/27/%E5%A6%82%E4%BD%95%E9%9A%90%E8%97%8F%E6%8C%87%E5%AE%9A%E6%9D%A1Windows%E4%BA%8B%E4%BB%B6%E6%97%A5%E5%BF%97/" rel="next" title="如何隐藏指定条Windows事件日志">
      如何隐藏指定条Windows事件日志 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          
    <div class="comments" id="valine-comments"></div>

<script>
  // Comment tabs: when the theme fires 'tabs:register', re-activate the last
  // comment tab (read back from localStorage when CONFIG.comments.storage is
  // on); when storage is on, also remember the tab the user clicks.
  // NOTE(review): this reads CONFIG.comments.activeClass, but the CONFIG
  // emitted in <head> declares comments.active, not activeClass, so
  // activeClass is likely undefined here unless set elsewhere — confirm
  // against the theme's templates.
  window.addEventListener('tabs:register', function () {
    var activeClass = CONFIG.comments.activeClass;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (!activeClass) return;
    // The selector is built from a stored value; a value containing a quote
    // makes querySelector throw instead of matching, nothing more.
    var activeTab = document.querySelector('a[href="#comment-' + activeClass + '"]');
    if (activeTab) activeTab.click();
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', function (event) {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      localStorage.setItem('comments_active', event.target.classList[1]);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-3"><a class="nav-link" href="#简介："><span class="nav-number">1.</span> <span class="nav-text">简介：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#日志类型："><span class="nav-number">2.</span> <span class="nav-text">日志类型：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#常见的事件ID对应表："><span class="nav-number">3.</span> <span class="nav-text">常见的事件ID对应表：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Windows-日志格式："><span class="nav-number">4.</span> <span class="nav-text">Windows 日志格式：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Windows-取证分析注意要点"><span class="nav-number">5.</span> <span class="nav-text">Windows 取证分析注意要点</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Odin"
      src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200422132544.JPG">
  <p class="site-author-name" itemprop="name">Odin</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">20</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">6</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">11</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/Grergo" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;Grergo" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:weikangwang730@gmail.com" title="E-Mail → mailto:weikangwang730@gmail.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Odin</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
      <span class="post-meta-item-text">站点总字数：</span>
    <span title="站点总字数">59k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
      <span class="post-meta-item-text">站点阅读时长 &asymp;</span>
    <span title="站点阅读时长">54 分钟</span>
</div>

        








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
  <script src="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>









<script>
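// Embed every `.pdfobject-container` (data-target = PDF URL, data-height = CSS
// height) as a native <embed> when the browser reports PDF support, otherwise
// as an <iframe> on the bundled PDF.js viewer under /lib/pdf/web/.
document.querySelectorAll('.pdfobject-container').forEach(element => {
  const url = element.dataset.target;
  // A container without a target has nothing to show; previously the literal
  // string "undefined" was embedded as the PDF URL.
  if (!url) return;
  const height = element.dataset.height;
  // Viewer options, serialized into the URL fragment (#navpanes=0&toolbar=0&...).
  const pdfOpenParams = {
    navpanes : 0,
    toolbar  : 0,
    statusbar: 0,
    pagemode : 'thumbs',
    view     : 'FitH'
  };
  const pdfOpenFragment = '#' + Object.entries(pdfOpenParams)
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join('&');
  const fullURL = `/lib/pdf/web/viewer?file=${encodeURIComponent(url)}${pdfOpenFragment}`;

  // Build the element with DOM APIs rather than an innerHTML template: the
  // data-target/data-height values were previously pasted verbatim into
  // attribute strings, so a value containing a quote broke out of the
  // attribute and was parsed as markup. setAttribute needs no escaping.
  let viewer;
  if (NexT.utils.supportsPDFs()) {
    viewer = document.createElement('embed');
    viewer.className = 'pdfobject';
    viewer.setAttribute('src', url + pdfOpenFragment);
    viewer.setAttribute('type', 'application/pdf');
  } else {
    viewer = document.createElement('iframe');
    viewer.setAttribute('src', fullURL);
    viewer.setAttribute('frameborder', '0');
  }
  viewer.style.height = height;
  element.textContent = '';
  element.appendChild(viewer);
});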
</script>




  

  

<script>
// Valine comment widget. NexT.utils.loadComments defers the callback until the
// #valine-comments container is reached; the callback then fetches Valine from
// jsDelivr and mounts it. The trailing window.Valine argument presumably lets
// getScript skip the download when the library is already present — confirm
// in utils.js.
NexT.utils.loadComments(document.querySelector('#valine-comments'), function () {
  NexT.utils.getScript('https://cdn.jsdelivr.net/npm/valine@1.4.7/dist/Valine.min.js', function () {
    // Guest fields the widget shows, limited to the names Valine understands.
    var knownFields = ['nick', 'mail', 'link'];
    var requestedFields = 'nick,mail,link'.split(',');
    var guest = [];
    for (var i = 0; i < requestedFields.length; i++) {
      if (knownFields.indexOf(requestedFields[i]) !== -1) {
        guest.push(requestedFields[i]);
      }
    }
    // appId/appKey are the LeanCloud app's client-side credentials that Valine
    // needs; they reach every visitor by design, so whatever they protect
    // rests on the LeanCloud app's ACL/class permissions. Never put the master
    // key here.
    // NOTE(review): the Valine bundle is fetched from a CDN without subresource
    // integrity; pin it (or self-host it) if the widget is in scope for
    // supply-chain review.
    new Valine({
      el         : '#valine-comments',
      verify     : true,
      notify     : false,
      appId      : '9avK28PbOuQyIMAUY8akDkwc-gzGzoHsz',
      appKey     : 'XKxrXsCfnD7W4M7AwOCslEvq',
      placeholder: "说点什么吧",
      avatar     : 'hide',
      meta       : guest,
      pageSize   : '10',     // generated as '10' || 10, which is just '10'
      visitor    : false,
      lang       : 'zh-cn',  // generated as 'zh-cn' || 'zh-cn'
      path       : location.pathname,
      recordIP   : false,
      serverURLs : ''
    });
  }, window.Valine);
});
</script>

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"log":false,"model":{"jsonPath":"/live2dw/assets/z16.model.json"},"display":{"position":"left","width":200,"height":300},"mobile":{"show":false},"react":{"opacity":0.9}});</script></body>
</html>
